Amidst the controversy surrounding Uber’s 2017 data breach of over 57 million users’ information, one voice has remained relatively silent. The Personal Data Protection Commission (‘PDPC’), formed in 2013 under the auspices of the Personal Data Protection Act 2012 (‘PDPA’), has to date only issued broad statements about taking ‘a serious view of data breaches’ and indicated that it is ‘investigating whether Uber has breached the data protection provisions of the PDPA’. The PDPC’s handling of Uber’s breach of nearly 400,000 Singaporeans’ data, Singapore’s largest breach of personal data to date, has drawn intense scrutiny from a range of government, private, and tech-linked stakeholders. The PDPA’s position is rendered even more complex because it seeks to traverse the simmering tensions between technological progress and personal information, personal data and personal privacy, and ultimately how to characterise the value Singaporean society places on personal information.
The Law As It Stands
The PDPA promulgates a plethora of obligations on persons and entities for the collection and use of personal data. Notably, consent must be obtained before collection or use, the purposes the data can be collected for are limited and must be disclosed, and persons must be notified if an organisation intends to collect or use their data. The statutory provisions also impose data accuracy and protection obligations on holders.
The bare bones of the legislation are fleshed out by the judicial decisions of the PDPC. Professor Warren Chik, an academic in the data protection field, has suggested that it has adopted a broadly ‘purposive and protective’ interpretation of its powers.[1] For instance, in PDPC v Aviva, Commissioner Tan Kiat How judged that an organisation could not fulfil its obligations under the PDPA with a ‘high-level’ and generic ‘Data Policy’ which over-relied on employee discretion.[2] Similarly, in PDPC v The Cellar Door,[3] the PDPA’s provisions that data handled by a data intermediary or subsidiary entity would be regarded as having been handled by the parent organisation itself were given effect despite a convoluted corporate structure with numerous subsidiaries. This illustrates how the PDPA precludes using intermediaries to buffer and isolate the parent organisation, highlighting the broad arc of protective decisions. Finally, in PDPC v K Box Entertainment, the PDPC illustrated a willingness to adopt a holistic approach in ascertaining the adequacy of a company’s protection policy, holding that it would demand evidence of the robustness of a data policy and whether or not it was being complied with. These legal developments, often accompanied by significant fines, illustrate the teeth of the PDPA and the pragmatic application of its statutory obligations.
Areas for Improvement
This laudable approach is, however, constrained by the existing structure of the PDPA itself, and the ever-evolving nature of data use has understandably exposed gaps which may well require the legislative brush to fill.
First among the areas for improvement is the absence of any specific statutory requirement to notify affected parties and the authorities in the event of a data breach. This concern manifested itself most clearly in the abovementioned Uber data breach, during which around 400,000 sets of personal data were hacked. Uber, under no direct notification obligation based on the PDPA as it stood then (and presently-stands), paid US$100,000 to the hackers to stay quiet and destroy the data, leaving consumers none the wiser about the breach. This episode underscores that the abovementioned PDPA ‘Notification Obligation’, particularly in its present iteration, only protects the intentional collection or use of data, not where the use/dissemination of the data is unforeseen.
Granted, the PDPC raised a public consultation after the Uber breach and proposed the following criteria for breach notification: Notification to both affected individuals and the PDPC would be required if the data breach was ‘likely to result in significant harm or impact to the individuals to whom the information relate(s)’, and notification to the PDPC only would be required if the scale of the data breach was ‘significant’ even if the risk of impact was minimal. It was also clarified that a breach that impacted 500 individuals would be deemed ‘significant’ for this definition, and that the time limit for notification would be ‘as soon as practicable’, capped at 72 hours from the organisation becoming aware that it needed to report the breach.
Three difficulties persist, even with these proposals: First, one can legitimately question whether it ought to be the entity which lost the data in the first place which gets to decide whether or not ‘significant harm or impact’ has arisen, especially given potential cover-up incentives. Second, even if the data-holding entity genuinely wishes to apply the ‘significant harm or impact’ test, one may question what ‘significant’ entails – should only commonly foreseeable uses of the information be considered, or should some uses be deemed too remote? Third, the timeframe for notification arguably provides too much leeway for the data entity: It has thirty days from being made aware of the breach to determine whether it is obliged to notify consumers/the PDPC, and a subsequent three days to actually do so. This is subject to ambiguity as to when the entity is ‘aware’ of the breach: will a threat or ransom request suffice or must there be irrefutable evidence of a breach? Must specific details pertaining to the size or ‘significance’ of the breach be elucidated or will mere knowledge that one has occurred suffice? Granted, these are still proposals, so some degree of ambiguity is inescapable, but insofar as further clarification is not provided and the law remains as it is at present, the scope of data protection law in the field of breach-notification could be buttressed further.
Another area for improvement is the continued permittance of companies to use overly-broad grants of consent from terms and conditions or end-user licences to circumvent the consent/notification of purpose requirements. It remains widespread practice to provide hyperlinks to densely jargonistic ‘terms and conditions’ which provide that clients are taken to grant consent for use of their data for ‘all relevant business purposes’ by using the product. These sweeping grants of consent remain viable sidesteps against the existing PDPA regime, but this is exacerbated by proposed weakening of the consent-governance framework. In its 2018 Public Consultation Responses, the PDPC proposed, inter alia, allowing businesses to simply notify the individual of the purpose of collection at the time of collection (without the need to gather specific consent) if the collection, use, or disclosure of personal data was not expected to have an adverse impact on the individuals. Even setting aside the question of whether companies were best placed to ascertain whether there was likely to be an adverse impact on individuals, the robustness of the consent requirement can be questioned if so many avenues exist for businesses to circumvent it. Granted, a balance should be struck with business interests, but i) more information has to be provided about the nature of an ‘adverse impact’ test, ii) the consent requirement should not be rendered utterly otiose by these sidesteps, and iii) the pace of mergers and acquisitions in the tech sector (such as Grab’s takeover of Uber) mean that consent has to be considered not just in consumer-company relationships, but consumer-company-acquiring company relations, particularly since consenting to one company holding one’s data does not necessarily entail consenting to its acquirer holding that data.
Moving Forward
Having outlined the structure and some potential angles for development of the PDPA in its present incarnation, one should not lose sight of the underlying tensions the PDPA seeks to manage.
First, it aims to strike a bold and pragmatic modus vivendi between technological progress and utility-creation, as well as the personal and sensitive nature of information. Against the backdrop of Cambridge Analytica’s data mining and other large-scale uses of data to influence political outcomes, the need to balance these two becomes all the more significant. One potential approach may be to grant exceptions from some of the more onerous protections if a company or entity is able to prove some kind of legitimate social or business good to an independent PDPC-established panel, though concerns of regulatory capture and how to gauge ‘social or business good’ are likely to accompany this. Chesterman has suggested that Singapore’s data protection regime, while highly nuanced, tends to be more business-friendly, though this balance continues to evolve with rapid technological and political developments.
Second, and more deeply embedded in the entire conversation on personal data, is the oftentimes philosophical contrast of personal data with personal privacy. Questions arise of whether there are forms of personal data which do not infringe on personal privacy, whether anonymising personal data can allow personal privacy to be protected, and whether it ought to be privacy as opposed to data which is more vigorously protected. Associated questions arise of whether a freestanding right to privacy should exist in Singapore, or whether some semblance of property right should exist over personal data. The philosophical underpinnings of precisely why we protect data and whether, as an extension, a broad freestanding right to personal privacy ought to be recognised, all come into play. Parent has suggested that privacy entails control over data pertaining to oneself, alleging an inextricable link between the two, while others like Posner have posited that the personal interests protected by privacy are economically inefficient. These philosophical ruminations do not yield clear answers, especially since even what privacy entails is contested, but they do question how our regulatory agencies ought to characterise the value Singaporean society places on personal information.
In sum, Singapore’s PDPA is likely to be buffeted by a plethora of technological and socio-political developments. From blockchain technologies touting secure data recording to political backlash at data-influenced elections worldwide, notions of big data permeate every aspect of technological development. Similarly, data’s seamless crossing of boundaries further strains the ability of national legislation to regulate its use. Singapore’s aspirations as a data hub in the region with forward-facing economic potential in this dimension have unsurprisingly influenced legislation like the PDPA, but one may question whether its electorate will continue countenancing a predominantly pro-business approach. Ultimately, a new compact navigating technology’s inexorable march will have to be reached, and the PDPA will continue to evolve en route.
[1] Chik, W. and Pang, J, ‘The Meaning and Scope of Personal Data Under the Singapore Personal Data Protection Act’ (2014) 26 Singapore Academy of Law Journal 354.
Image Credit: Image by William Cho, used under Creative Commons 2.0 Licensing without adaptation or modification.